We appear to still be litigating OAuth, oops

Bron Gondwana <brong@fastmailteam.com> Wed, 24 February 2021 07:07 UTC

Return-Path: <brong@fastmailteam.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 604DF3A0CB1; Tue, 23 Feb 2021 23:07:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=CaxhQC/t; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=glCYN5D+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t_EKMyfIguTf; Tue, 23 Feb 2021 23:07:15 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A0B33A0CAF; Tue, 23 Feb 2021 23:07:15 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.west.internal (Postfix) with ESMTP id BBED2C41; Wed, 24 Feb 2021 02:07:13 -0500 (EST)
Received: from imap7 ([10.202.2.57]) by compute2.internal (MEProxy); Wed, 24 Feb 2021 02:07:14 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=mime-version:message-id:in-reply-to :references:date:from:to:cc:subject:content-type; s=fm2; bh=b0Vi SHARCaTV/mbrQY7acH01yIQkqnonmsMI51x8V6I=; b=CaxhQC/tjr/WOLrewKlx jlcGXvl4D6U2O+JxlET8aNXu+9SUCo7yyY0CdAFX1wwHM9c5PTpA30DfZlDpoHnV iC74cwKF2M8BvTPRUScjspEstD+/MtqbIi0L0EIxYpgicRH1RFxVUTzMpG6Qhsh7 m3IknIqN0Ts5TocK4qXRrm+bHMhJt+HInCbW7NnuVq58bMHuLoOFgj6F3v1nmymo +rqyN7zieyelu83NN3lKu4T3RhfWqBFbsCQgeK+wKf45NHmOx8XQyVQCiB5/WrAI TwOvQD5G3D0eTOsyu+1LhF6D8R9mNxN5oOrd40LmsVENisL0jIS643FLovjKE/Wj rA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=b0ViSH ARCaTV/mbrQY7acH01yIQkqnonmsMI51x8V6I=; b=glCYN5D+V+kOg461vzIhMs m8YYWGMfhRvT6EaSdMvGdDi6zAyRrBTU3MvRLQHmZfiTBT4TQIjl5DpoVN9jQqEt 79k+fY8nYxPfYijsVVielnwVljxkdE9Wo5ZBD1uJM5o7OsRhVTv/y09GHQaA0x0b j0yKV4pg/F9kp/wk2jKRCIZ/GcrVm4vgG9J8stK17ybIA6f3zlTzeVC1soFnOnDN M+WVk/Aa+WGwJz7FoTcncNSMHi2UV1UGVWs3Ia3VlOTCexXDuMPHwsys3VjR9QfI pYX6FkeAxzQxy3InQKOXExHVezP/Z5hTtbe0ZIzM30UQaWI/pq6FRxky4z8Or9fg ==
X-ME-Sender: <xms:IPs1YNu268nBZi1ZzA7RqidGno-ieswqXquvTTKv4UTqSvE4JD0jyg> <xme:IPs1YGe5f4NIxDt_5ygNpkaQIDyoKU6DWNwkL2pdw2H4a3HBlncbFoR-DConwe9VU 0ccX4Enu5o>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrkeeigdellecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsegrtderreerreejnecuhfhrohhmpedfuehrohhn ucfiohhnugifrghnrgdfuceosghrohhnghesfhgrshhtmhgrihhlthgvrghmrdgtohhmqe enucggtffrrghtthgvrhhnpeduffdvjeelgffhveelieduiefgfeehudehlefhueefledv ffefueeikeduheektdenucffohhmrghinhepfihikhhiphgvughirgdrohhrghdprghrtg hhihhvvgdrohhrghdphhhuvghnihhvvghrshgvrdgtohhmnecuvehluhhsthgvrhfuihii vgeptdenucfrrghrrghmpehmrghilhhfrhhomhepsghrohhnghesfhgrshhtmhgrihhlth gvrghmrdgtohhm
X-ME-Proxy: <xmx:IPs1YAzTSPLvOyjugc-FwziVX6ANTAvfVslffqFWj-_XHMGtcABP8g> <xmx:IPs1YEMQktLcufMceNdyocXlppcpUuevTdsy_ko3UrHsCarRrEbeBQ> <xmx:IPs1YN_i1DYCa1nHkjWPgQvrgH7_l6S0XsL_45Zy2FQMdYfxklyTHw> <xmx:Ifs1YPnA8-7hE-FFt8XuMVJy0XYZY7ka_cRTkDQNN8Ta3Ez6IoopAA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B048A3605A4; Wed, 24 Feb 2021 02:07:12 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-179-g81f7aba968-fm-20210222.002-g81f7aba9
Mime-Version: 1.0
Message-Id: <eb2eaaa7-7f7e-4170-ab87-1cc1fdd3359b@www.fastmail.com>
In-Reply-To: <A8128346-B557-472F-B94F-8F624F955FCE@manicode.com>
References: <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com> <A8128346-B557-472F-B94F-8F624F955FCE@manicode.com>
Date: Wed, 24 Feb 2021 18:06:52 +1100
From: "Bron Gondwana" <brong@fastmailteam.com>
To: "Jim Manico" <jim@manicode.com>, "Phillip Hallam-Baker" <phill@hallambaker.com>
Cc: ietf@ietf.org, "oauth@ietf.org" <oauth@ietf.org>
Subject: We appear to still be litigating OAuth, oops
Content-Type: multipart/alternative; boundary=27b38bd14ad548058a080b1be730e105
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/WkysvAQ3DzNR4GpUb5deuUiCWRU>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 07:07:17 -0000

On Wed, Feb 24, 2021, at 17:26, Jim Manico wrote:
> I think it’s important to point out that OAuth is not an authentication protocol. It’s for delegation. OAuth is one of the most mis-used protocols on the modern web. If you really want to support end users, a good place to start is to make it clear to developers what OAuth is really for so secure solutions are built as opposed to the dumpster fire that OAuth solutions have become today.

https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_does

Which suggests that if the OAuth solutions deployed today are dumpster fires, then ... well, that's what OAuth 2 does.

My biggest problem with OAuth as an outsider is that it doesn't solve the NxM problem.  You can't build a client which can OAuth against any arbitrary OAuth service that provides a standard protocol, because you need to get an API key for your particular application from each service provider.  This just doesn't scale, which is a large part of Phillip's complaint as well.

Of course, I came into the IETF having already read https://web.archive.org/web/20120731155632/http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ - which was one of the things which made me wary of the IETF in the first place, and keen to not let everything I touched get over-complicated.

Bron.

-- 
  Bron Gondwana, CEO, Fastmail Pty Ltd
  brong@fastmailteam.com
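The thread's point that OAuth 2 is a delegation protocol, not an authentication protocol, is easiest to see in code. The following is an added example, not part of the original message or anything Fastmail or the IETF OAuth working group published. It builds a toy authorization server that signs tokens with HMAC-SHA256 (a stand-in for JWS), two hypothetical registered clients ("good-app" and "evil-app") and one user ("alice"); all names and keys are constructed for the example. A relying party that treats "the userinfo endpoint accepted this access token" as "this user just logged in to me" will log the attacker in as alice using a token alice granted to the attacker's own app, while a relying party that demands an OpenID Connect ID token issued to its own client_id for this login attempt rejects the replay.

```python
"""Access token = delegation; ID token = authentication. Replaying a token
the user granted to one client against another client shows the difference.
All keys, client_ids and users below are constructed for this example."""
import base64
import hashlib
import hmac
import json
import time

AS_KEY = b"constructed-example-signing-key"  # toy AS key (assumption)
GOOD_APP = "good-app"                        # hypothetical relying party
EVIL_APP = "evil-app"                        # hypothetical attacker client


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict) -> str:
    """Toy 'JWS': base64url(JSON).base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify(token: str) -> dict:
    """Check signature and expiry only; says nothing about *who* the token is for."""
    body, sig = token.split(".", 1)
    expected = _b64(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


# --- authorization server / resource server side ---------------------------
def issue_access_token(sub: str, client_id: str) -> str:
    """Lets client_id act on sub's behalf at the resource server (delegation)."""
    return _sign({"typ": "access", "sub": sub, "azp": client_id,
                  "exp": time.time() + 300})


def issue_id_token(sub: str, client_id: str, nonce: str) -> str:
    """OIDC-style assertion *to* client_id that sub authenticated just now."""
    return _sign({"typ": "id", "sub": sub, "aud": client_id, "nonce": nonce,
                  "exp": time.time() + 300})


def userinfo(access_token: str) -> dict:
    """Resource server: any valid access token yields the user's profile."""
    claims = _verify(access_token)
    if claims["typ"] != "access":
        raise ValueError("not an access token")
    return {"sub": claims["sub"]}


# --- relying party (good-app) side -----------------------------------------
def vulnerable_login(access_token: str) -> str:
    """Misuse: 'userinfo worked' is read as 'this user logged in to good-app'.
    Any client alice ever authorized can replay its token here."""
    return userinfo(access_token)["sub"]


def hardened_login(id_token: str, expected_nonce: str) -> str:
    """Authentication: require an ID token minted for *this* client and *this* attempt."""
    claims = _verify(id_token)
    if claims.get("typ") != "id":
        raise ValueError("access token presented where an ID token is required")
    if claims.get("aud") != GOOD_APP:
        raise ValueError(f"audience {claims.get('aud')!r} is not {GOOD_APP!r}")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed token)")
    return claims["sub"]


def _outcome(token: str, nonce: str) -> str:
    try:
        return "ok:" + hardened_login(token, nonce)
    except ValueError as err:
        return f"rejected: {err}"


def demo() -> dict:
    """alice authorized evil-app; evil-app replays her tokens at good-app."""
    stolen_access = issue_access_token("alice", EVIL_APP)
    stolen_id = issue_id_token("alice", EVIL_APP, nonce="n-evil")
    legit_id = issue_id_token("alice", GOOD_APP, nonce="n-good-1")
    return {
        "vulnerable": vulnerable_login(stolen_access),        # attacker is 'alice'
        "hardened_vs_access": _outcome(stolen_access, "n-good-1"),
        "hardened_vs_wrong_aud": _outcome(stolen_id, "n-evil"),
        "hardened_legit": _outcome(legit_id, "n-good-1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

The audience (`aud`) and nonce checks are what turn a bearer credential into a statement addressed to one particular relying party; without them the token proves only that some client was delegated access, which is exactly the distinction the message above draws.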